CLAIMS 

What is claimed is: 

1. In a client system that includes various client system components, and 
that is configured to receive one or more scripts from one or more script sources, the 
client system also including one or more objects that are configured to control 
properties and features of the client system components, a method of selectively 
granting or denying a script access to one or more of the objects, comprising acts of: 

receiving, at the client system, a script from a script source, the script 
requesting access to a particular system object; 

accessing an access control data structure that is independent of the 
script and making a determination that the script is authorized to access the 
particular system object based on one or more permissions that are associated 
with the script source and the particular system within the access control data 
structure; 

selectively granting the script access to the particular system object 
based on the determination. 

2. A method as defined in claim 1, wherein:

the method further comprises an act of storing, at the client system the
access control data structure, wherein the access control data structure includes
having one or more entries, each entry being associated with an object and
including a source identifier representing one or more information sources and a
permission identifier defining a permission; and

the act of making the determination comprises acts of:

identifying an entry of the access control data structure that is
associated with the particular object and has a source identifier
representing the information source from which the script has been
received; and

applying the permission defined by the permission identifier
included in the identified entry to the script.

3. A method as defined in claim 1, wherein the particular object is a
document object relating to a document displayed by the browser.

4. A method as defined in claim 1, wherein the particular object is a

5. A method as defined in claim 1, wherein the particular object is a system
object relating to a component of the client system other than the browser and any
document displayed by the browser.

6. In a client system that includes various client system components, and
that is configured to receive one or more scripts from one or more script sources, the
client system also including one or more objects that are configured to control
properties and features of the client system components, a method of selectively
granting or denying a script access to one or more of the objects, comprising acts of:

storing at the client system an access control data structure having one or more
entries, each entry being associated with an object for which access is to be controlled
and including a source identifier representing one or more script sources and a
permission identifier defining a permission;

receiving a script from a particular script source, wherein the script, if
fully executed by the browser, would request access to a particular object;

identifying an entry of the access control data structure that is associated
with the particular object and has a source identifier representing the particular
script source; and

applying the permission defined by the permission identifier included in the
identified entry to the script such that access by the script to the particular object is
based upon one or more permissions that are associated with the script source and the
particular system object.

7. A method as defined in claim 6, wherein the identified entry is
associated with and controls access to only one system object.

8. A method as defined in claim 6, wherein the applied permission is a
write permission, the method further comprising: 

an act of executing the script such that the script accesses the particular 
object; and 

an act of modifying the particular object by the script.

9. A method as defined in claim 6, wherein the applied permission specifies
that access to the particular object by the script is denied, the method further comprising
an act of denying the script access to the particular object.

10. A method as defined in claim 6, wherein the source identifier 
corresponds to a universal resource locator of the one or more script sources that the 
source identifier represents. 

11. A method as defined in claim 10, wherein the act of identifying an entry
of the access control data structure comprises an act of comparing the source identifiers 
of the entries with the universal resource locator of the script source. 

12. A method as defined in claim 6, wherein the script, if fully executed,
would request access to at least two system objects, including the particular object and a 
second object, the method further comprising acts of: 

identifying a second entry of the access control data structure, wherein the 
second entry is associated with the second object the source identifier of the 
second entry represents the particular script source; and 

applying the permission defined by the permission identifier included in 
the second entry to the script such that access by the script to the second object 
is controlled. 

13. A method as defined in claim 12, wherein the permission defined by the
permission identifier included in the identified entry is different than the permission 
defined by the permission identifier included in the second entry. 

14. A method as defined in claim 6, further comprising acts of: 
receiving a second script from the particular script source, wherein the second 
script, if fully executed by the browser, would request access to a second object; 

identifying a second entry of the access control data structure, wherein 
the second entry is associated with the second object and the source identifier of 
the second entry represents the particular script source; and 

applying the permission defined by the permission identifier included in 
the second entry to the second script such that access by the second script to the 
second object is controlled. 

15. A method as defined in claim 14, wherein the permission defined by the
permission identifier included in the identified entry is different than the permission 
defined by the permission identifier included in the second entry. 

16. A computer program product for use in a client system that includes
various client system components, and that is configured to receive one or more scripts 
from one or more script sources, the client system also including one or more objects 
that are configured to control properties and features of the client system components, 
the computer program product comprising: 

one or more computer-readable media having computer-executable 
instructions for implementing a method of selectively granting or denying a 
script access to one or more of the objects, comprising acts of: 

receiving, at the client system, a script from a script source, the 
script requesting access to a particular system object; 

accessing an access control data structure that is independent of 
the script and making a determination that the script is authorized to 
access the particular system object based on one or more permissions 
that are associated with the script source and the particular system within 
the access control data structure; 

selectively granting the script access to the particular system 
object based on the determination. 

17. A computer program product as recited in claim 16, wherein:

the method further comprises an act of storing, at the client system the
access control data structure, wherein the access control data structure includes
one or more entries, each entry being associated with an object and including a
source identifier representing one or more information sources and a permission
identifier defining a permission; and

the act of making the determination comprises acts of:

identifying an entry of the access control data structure that is
associated with the particular object and has a source identifier
representing the information source from which the script has been
received; and

applying the permission defined by the permission identifier
included in the identified entry to the script.

18. A computer program product as recited in claim 17, wherein the applied
permission is a write permission, the method further comprising:

an act of executing the script such that the script accesses the particular
object; and

an act of modifying the particular object by the script.

19. A computer program product as recited in claim 17, wherein the source
identifier corresponds to a universal resource locator of the one or more script sources
that the source identifier represents.

20. A computer program product as recited in claim 17, wherein the act of
identifying an entry of the access control data structure comprises an act of comparing 
the source identifiers of the entries with the universal resource locator of the script 
source. 

21. A computer program product as recited in claim 16, wherein the 
particular object is a document object relating to a document displayed by the browser. 

22. A computer program product as recited in claim 16, wherein the 
particular object is a browser object relating to the browser other than any document 
displayed by the browser. 
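
The entry lookup and permission application recited in claims 2, 10 and 11, as an added example that is not part of the claims or of any implementation by the applicant. The object names, URLs, the "read" permission, comparison at origin granularity, and denial when no entry matches are all assumptions made for illustration.

```javascript
// Added example: access check keyed on (object, script source).
// Object names, URLs and the "read" permission are constructed for illustration.
const PERMS = Object.freeze({ DENY: "deny", READ: "read", WRITE: "write" });

// Access control data structure, held by the client and independent of any script.
// Each entry names one object, a source identifier (a URL) and a permission.
const acl = [
  { object: "document", source: "https://app.example.test/", permission: PERMS.WRITE },
  { object: "browser",  source: "https://app.example.test/", permission: PERMS.READ },
  { object: "system",   source: "https://app.example.test/", permission: PERMS.DENY },
  { object: "document", source: "https://ads.example.test/", permission: PERMS.READ },
];

// Reduce a URL to scheme + host + port; null for unparsable or opaque origins.
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// Identify the entry for this object whose source identifier matches the script's URL.
function findEntry(table, objectName, scriptUrl) {
  const origin = originOf(scriptUrl);
  if (origin === null) return null;
  return table.find(e => e.object === objectName && originOf(e.source) === origin) || null;
}

// Apply the entry's permission. No matching entry means no access (assumed default).
function checkAccess(table, objectName, scriptUrl, requested) {
  const entry = findEntry(table, objectName, scriptUrl);
  if (entry === null || entry.permission === PERMS.DENY) return false;
  if (requested === PERMS.READ) return true; // a read or write entry permits reading
  return requested === PERMS.WRITE && entry.permission === PERMS.WRITE;
}
```

Comparing parsed origins rather than URL prefixes keeps a host such as app.example.test.other.test from matching the entry for app.example.test.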